I like how this is supposed to be impressive despite 99% of the passwords probably being for stuff that no one cares is compromised like trash e-mail accounts and so on.

Then, Keyloggers usually require permissions that mean you have to actually approve/install untrusted software explicitly, so maybe a decent number of them are the bank accounts of terminally illiterate people.

Even though my passwords aren't super strong, they aren't one of the "25 most common passwords", either, so I'm probably good to go. After all, the crooks are looking for easy pickings, so I'm guessing they hit each account with about 10,000 of the most common passwords, and if they don't get in they move on to the next account.

Even a ridiculously simple password like "Mom4!" takes a random brute force more than a week to crack*.

/ * - don't use that password, as it's on "the list"
// my shortest password is 8 characters, and ALL of them use all 4 types of characters
/// nobody gives a shiat about you or me, they're just looking for easily cracked accounts

Mugato:Stone Meadow: Even a ridiculously simple password like "Mom4!" takes a random brute force more than a week to crack*.

Mine's a random collection of 7 uppercase letters, lowercase letters and numbers, which turns out is a pain in the ass to type on a phone but it's been my password for 15 years.

I read that two real words that are unrelated are harder to crack than random characters. Like elephantdildo would be harder to crack than kkdb37A1. I dunno. I almost flunked number theory.

I should clarify that it takes more than a week (at 10k attempts per second) to cover the entire 4-type 8-character space. The effort might get lucky in the first second.

Ignoring that your first example has more characters than your second, you're leaving number theory and getting into human factors. Actual attempts to crack passwords don't rely on brute force at first. They try thousands of common guesses first, everything from names and dates to easy strings (123456) and other easily typed combos like "cfT68ik,", which may look random, but is an easily typed 4-type, 8-character combination (and surely on the first 10k tries, so don't use it).

Anyway, human factors is why two random words together (really, words not found together in human writing) can be tougher to crack than seemingly random strings...there isn't any "psychology" to help guess the word.

Stone Meadow: Even though my passwords aren't super strong, they aren't one of the "25 most common passwords", either, so I'm probably good to go. After all, the crooks are looking for easy pickings, so I'm guessing they hit each account with about 10,000 of the most common passwords, and if they don't get in they move on to the next account.

Even a ridiculously simple password like "Mom4!" takes a random brute force more than a week to crack*.


10,000 attempts per second? Try twenty million for many home PCs.

Last week I wrote something that showed someone that their "encryption" was junk. It generated the encrypted code for every card number in 6 seconds on a three year old cheap computer.

Most of the password cracking systems will try a common password against millions of user ids and not millions of passwords against one user id.

Like PINs on bank cards: if you can put a virus on a large store's point-of-sale network so that it tries the PIN 1234 on every card, you can crack one in 10,000 cards, but you don't care which ones.

Never use your banking password on another computer, and don't use things like "password-fb" for Facebook, since there are tools that will try "password-eb" on eBay with the same email address if it is ever found in one of these huge dumps.

It would be interesting if Mike or Drew would say how many password scans they see.
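The point made above (one common password against many user IDs, which a per-account throttle never notices) as an added detection example; this is my code, not anything from the thread, and the log lines, field names and thresholds are constructed for the illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the thread): one source tries one guess
# against five different accounts; a second source retries a single account.
SAMPLE_LOG = """\
2014-10-01T12:00:01 login user=alice src=203.0.113.7 result=FAIL
2014-10-01T12:00:02 login user=bob src=203.0.113.7 result=FAIL
2014-10-01T12:00:03 login user=carol src=203.0.113.7 result=FAIL
2014-10-01T12:00:04 login user=dave src=203.0.113.7 result=FAIL
2014-10-01T12:00:05 login user=erin src=203.0.113.7 result=FAIL
2014-10-01T12:00:06 login user=frank src=203.0.113.7 result=SUCCESS
2014-10-01T12:00:07 login user=alice src=198.51.100.9 result=FAIL
2014-10-01T12:00:20 login user=alice src=198.51.100.9 result=SUCCESS
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, user, source, result)."""
    ts, _, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), fields["user"], fields["src"], fields["result"]

def per_account_failures(log_text):
    """What a per-account throttle sees: failed attempts counted per user."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        _, user, _, result = parse_line(line)
        if result == "FAIL":
            counts[user] += 1
    return dict(counts)

def detect_spraying(log_text, window=timedelta(minutes=10), min_users=5):
    """Sources that failed against at least min_users distinct accounts inside
    one window. Each account saw a single attempt, so a per-account lockout
    never fires; grouping failures by source is what exposes the spray."""
    failures = defaultdict(list)            # src -> [(timestamp, user)]
    for line in log_text.splitlines():
        ts, user, src, result = parse_line(line)
        if result == "FAIL":
            failures[src].append((ts, user))
    hits = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits
```

Running `per_account_failures(SAMPLE_LOG)` shows no account with more than two failures, while `detect_spraying(SAMPLE_LOG)` flags 203.0.113.7 for hitting five accounts in six seconds.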

Stone Meadow:Even a ridiculously simple password like "Mom4!" takes a random brute force more than a week to crack*.

A lot longer than that; most web-based stuff has a throttle on how many login attempts can be made for a given account. Even something like 10 or 15 seconds between logins pushes that up well past the point where it's more time-efficient to try to steal the passwords by other means.

Basically, brute force can't really be used to crack anything useful nowadays. This is why, as the above post mentions, the closest to brute techniques get tends to be common password and bruted account-name instead.

lordargent:Stone Meadow: Even a ridiculously simple password like "Mom4!" takes a random brute force more than a week to crack*.

10k guesses per second?

Stone Meadow: I should clarify that it takes more than a week (at 10k attempts per second)

There are people running hashcat doing 450k attempts per second against TrueCrypt.

10k per second is laughably slow in today's computing power.

Relax...that was the graphic I could find with a quickie GIS. The point remains that a bit of complexity and added length make one's password a lot less vulnerable than those who can't be bothered. Think of it as the old adage about being chased by the bear: I don't have to outrun the bear...I just have to outrun you. ;^)

kg2095:fang06554: So, 95% of people who accidentally install keyloggers are those with retarded passwords.

The same dumbos that click on dodgy web ads are the same dumbos that choose stupid passwords.

1. One doesn't have to click an ad to be owned by it. If an ad isn't vetted properly and contains a little script of nastiness, your browser will digest it after loading the page. Once again, your browser simply downloading and displaying the ad can and will get you owned. This was happening with YouTube's ad rotator this year, to give you an idea of the types of dodgy websites the "dumbos" of the world can get pwned by.

2. Regarding permissions, which someone else referred to - Before we start blindly referring to these people as idiots who indiscriminately install software, let's remember how exploitation works. Malware doesn't ask a vulnerable system to install software, in many cases it just does it - silently. Last I checked we don't know the vector by which this was installed, but your culprits will be either spam, drive by exploit kit, or a heavy dose of both. Obviously the former is much easier to avoid and people get less sympathy for opening the "resume.exe" type email attachments; however commodity exploit kits are all over, they're stealthy, and have become quite sophisticated.

My two cents - Malware no longer hides in the obvious deep dark corners of the internet, and the commodity stuff can be incredibly clever. The picture really is quite bleak.

Stone Meadow:DON.MAC and Jim_Callahan, your points are well taken. I was just giving a quick primer on the numerical difficulty involved...not the practicalities.

The numerical difficulty isn't important, only the practicality. Password crackers have gotten so good that only long, random strings are safe for now. Phrases that would take trillions of trillions of years to brute force have been cracked because they have been found in literature. Even simple phrases translated from English to Russian have been cracked.

Stone Meadow : Relax...that was the graphic I could find with a quickie GIS. The point remains that a bit of complexity and added length make one's password a lot less vulnerable than those who can't be bothered.

Against brute forcing, yes, but brute forcing is the absolute last tool in a cracker's toolbox; password-cracking algorithms are far more advanced today.

The password you provided (Mom4!) contains a dictionary word, so it would fall to a hybrid dictionary attack fairly quickly (take common words from the dictionary and run them through mutators to generate common variations, i.e. people replace e with 3, i with 1, etc.).

And every breach that reveals passwords allows the black hats to tune those algorithms even more (because those passwords represent passwords that were actually used in the wild).

lordargent: The password you provided (Mom4!) contains a dictionary word, so it would fall to a hybrid dictionary attack fairly quickly (take common words from the dictionary and run them through mutators to generate common variations, i.e. people replace e with 3, i with 1, etc.).

Not only that, but it's a standard construction that you see when a password policy is in place: dictionary word, first letter capitalised, appended with a number and a special. I have JtR rules that specifically handle that form as well as the usual substitutions, which means things like P@$$w0rd123! fall in seconds. The more specific the password policy, the tighter I can build the attack mask.

Kerr Avon: lordargent: The password you provided (Mom4!) contains a dictionary word, so it would fall to a hybrid dictionary attack fairly quickly (take common words from the dictionary and run them through mutators to generate common variations, i.e. people replace e with 3, i with 1, etc.).

Not only that, but it's a standard construction that you see when a password policy is in place: dictionary word, first letter capitalised, appended with a number and a special. I have JtR rules that specifically handle that form as well as the usual substitutions, which means things like P@$$w0rd123! fall in seconds. The more specific the password policy, the tighter I can build the attack mask.

// though interestingly enough, "correct" and "horse" are on this list (pdf) of the top 1000 most common words, but "battery" and "staple" are nowhere to be found. Which makes me wonder how old the list is because since the advent of cell phones and the like I would think at least "battery" would break the top 1000 these days.

Now if you start doing substitutions into those words, the security goes way up, BUT that defeats the whole purpose of correcthorsebatterystaple (which was to make a secure, but easy to memorize, password. Start throwing letter substitutions and numbers in there and all you have is a really long password using the traditional methods).

// me, I do keyboard patterns, it's not in the dictionary, it's easy to add letters and punctuation, it's easy to remember, and as an added bonus, I don't know the actual password (so you can't get it via a psychic probe ... err, I've revealed too much).
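The "word, optionally leet-mangled, plus number and special" construction and the correcthorsebatterystaple concatenation discussed in the last few posts, written as a defender-side policy check; this is an added example of mine, not anyone's JtR rules, and the tiny WORDLIST stands in for a real dictionary:

```python
import re

# Constructed stand-in for a real common-word list (assumption, not the pdf list above).
WORDLIST = {"mom", "password", "welcome", "summer", "dragon",
            "correct", "horse", "battery", "staple"}

# The usual leet substitutions, reversed so the check sees the word underneath.
UNLEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                        "3": "e", "4": "a", "5": "s", "7": "t"})

def split_suffix(pw):
    """Separate a trailing run of digits/specials from the letter-bearing core."""
    m = re.fullmatch(r"(.+?)([^A-Za-z]*)", pw)
    return m.group(1), m.group(2)

def hybrid_pattern(pw):
    """Return (base_word, suffix) when pw is a wordlist word, possibly
    leet-mangled, with digits/specials appended; None otherwise.
    This is the shape a policy-aware hybrid attack enumerates first."""
    core, suffix = split_suffix(pw)
    base = core.translate(UNLEET).lower()
    return (base, suffix) if base in WORDLIST else None

def passphrase_words(pw):
    """Greedy longest-first split into wordlist words (the
    correcthorsebatterystaple case); None if it does not fully decompose."""
    by_length = sorted(WORDLIST, key=len, reverse=True)
    words, rest = [], pw.lower()
    while rest:
        hit = next((w for w in by_length if rest.startswith(w)), None)
        if hit is None:
            return None
        words.append(hit)
        rest = rest[len(hit):]
    return words
```

A password rejected by `hybrid_pattern` (Mom4!, P@$$w0rd123!) matches the construction a policy invites, while `passphrase_words` only tells you that a passphrase is made of listed words, which is the trade-off the post above describes.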

I think I'll just use an anagram of my name. It's 26 letters long. And to make a complete and satisfying anagram I have to cheat by several letters.

Throw in a couple of symbols, numbers, capitals and I'm laughing, Baby! The anagram websites inform me that an anagram that long would take millions of years to find. I can break my name up into shorter anagrams for less secure requirements.

A lot of my older, weaker passwords consist of the first letters of a line of favourite poetry, or some common phrase, such as "God, I hate this farking job, it's driving me crazier than Sarah Palin."

GIhtfjidmctSP2013

There's a good one. You're welcome.

The advantage of poetry is that you can create multiple passwords from a single short poem if you have memorized one. If you have memorized some other texts, such as Bible verses or the Gettysburg address, prose works just as well.

At some jobs I used lines or titles of books, a sort of primitive book code, using a book that is always to hand, either one I was reading at the time or a manual, dictionary, or what not. Now that I have a Kindle, I have a lot of books I can use to generate book codes, thus meeting the requirement of changing passwords frequently.

Some of my earlier passwords contain unintentional but useful spelling errors or typos. If you make a mistake, be a geek: say it's not a mistake, say it's a feature.